4 files changed, 199 insertions, 16 deletions
diff --git a/flake.lock b/flake.lock
index 8a6771bd..9dff76d1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -63,6 +63,21 @@
        "type": "gitlab"
      }
    },
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": [
@@ -142,6 +157,22 @@
    "flake-compat_4": {
      "flake": false,
      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
        "lastModified": 1673956053,
        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
@@ -193,6 +224,27 @@
    },
    "flake-parts_3": {
      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_4": {
+      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib_3"
      },
      "locked": {
@@ -306,6 +358,28 @@
    "gitignore_3": {
      "inputs": {
        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_4": {
+      "inputs": {
+        "nixpkgs": [
          "prometheus-borg-exporter",
          "pre-commit-hooks-nix",
          "nixpkgs"
@@ -383,6 +457,32 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat_4",
+        "flake-parts": "flake-parts_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix_3",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "leapseconds": {
      "flake": false,
      "locked": {
@@ -402,7 +502,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable_2",
+        "nixpkgs-stable": "nixpkgs-stable_3",
        "xwayland-satellite-stable": "xwayland-satellite-stable",
        "xwayland-satellite-unstable": "xwayland-satellite-unstable"
      },
@@ -664,6 +764,22 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_3": {
+      "locked": {
        "lastModified": 1752308619,
        "narHash": "sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ=",
        "owner": "NixOS",
@@ -678,7 +794,7 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable_3": {
+    "nixpkgs-stable_4": {
      "locked": {
        "lastModified": 1748026580,
        "narHash": "sha256-rWtXrcIzU5wm/C8F9LWvUfBGu5U5E7cFzPYT1pHIJaQ=",
@@ -694,7 +810,7 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable_4": {
+    "nixpkgs-stable_5": {
      "locked": {
        "lastModified": 1678872516,
        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
@@ -842,11 +958,38 @@
    },
    "pre-commit-hooks-nix_3": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": [
-        "flake-utils": "flake-utils_2",
+          "lanzaboote",
+          "flake-compat"
+        ],
        "gitignore": "gitignore_3",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix_4": {
+      "inputs": {
+        "flake-compat": "flake-compat_5",
+        "flake-utils": "flake-utils_2",
+        "gitignore": "gitignore_4",
        "nixpkgs": "nixpkgs_3",
-        "nixpkgs-stable": "nixpkgs-stable_4"
+        "nixpkgs-stable": "nixpkgs-stable_5"
      },
      "locked": {
        "lastModified": 1685361114,
@@ -864,14 +1007,14 @@
    },
    "prometheus-borg-exporter": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_4",
        "nixpkgs": [
          "nixpkgs"
        ],
        "poetry2nix": [
          "poetry2nix"
        ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix_3"
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix_4"
      },
      "locked": {
        "lastModified": 1722088088,
@@ -974,6 +1117,7 @@
        "home-manager": "home-manager",
        "home-manager-eostre": "home-manager-eostre",
        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
        "niri-flake": "niri-flake",
        "nix-index-database": "nix-index-database",
        "nix-monitored": "nix-monitored",
@@ -982,7 +1126,7 @@
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-eostre": "nixpkgs-eostre",
        "nixpkgs-pgbackrest": "nixpkgs-pgbackrest",
-        "nixpkgs-stable": "nixpkgs-stable_3",
+        "nixpkgs-stable": "nixpkgs-stable_4",
        "nvfetcher": "nvfetcher",
        "poetry2nix": "poetry2nix",
        "prometheus-borg-exporter": "prometheus-borg-exporter",
@@ -993,6 +1137,27 @@
        "waybar": "waybar"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 8380f9c7..b9382c6f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -221,6 +221,14 @@
        nixpkgs.follows = "nixpkgs";
      };
    };
+    lanzaboote = {
+      type = "github";
+      owner = "nix-community";
+      repo = "lanzaboote";
+      ref = "v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };
  outputs = { self, nixpkgs, home-manager, sops-nix, deploy-rs, nvfetcher, niri-flake, ... }@inputs:
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 4cb6162e..4cdd4aa7 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -13,7 +13,7 @@ in {
  imports = with flake.nixosModules.systemProfiles; [
    ./hw.nix
    ./email ./libvirt ./greetd
-    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
+    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
    flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
    flakeInputs.impermanence.nixosModules.impermanence
    flakeInputs.nixVirt.nixosModules.default
@@ -51,13 +51,8 @@ in {
      blacklistedKernelModules = [ "nouveau" ];
-      # Use the systemd-boot EFI boot loader.
+      lanzaboote.configurationLimit = 15;
      loader = {
-        systemd-boot = {
-          enable = true;
-          configurationLimit = 15;
-          netbootxyz.enable = true;
-        };
        efi.canTouchEfiVariables = true;
        timeout = null;
      };
@@ -679,6 +674,7 @@ in {
        "/var/lib/upower"
        "/var/lib/postfix"
        "/etc/NetworkManager/system-connections"
+        config.boot.lanzaboote.pkiBundle
      ];
      files = [
      ];
diff --git a/system-profiles/lanzaboote.nix b/system-profiles/lanzaboote.nix
new file mode 100644
index 00000000..f1e179cf
--- /dev/null
+++ b/system-profiles/lanzaboote.nix
@@ -0,0 +1,14 @@
+{ flakeInputs, pkgs, ... }:
+{
+  imports = [
+    flakeInputs.lanzaboote.nixosModules.lanzaboote
+  ];
+  config = {
+    environment.systemPackages = [ pkgs.sbctl ];
+    boot.lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+}

diff --git a/flake.lock b/flake.lock index 8a6771bd..9dff76d1 100644 --- a/flake.lock +++ b/flake.lock
@@ -63,6 +63,21 @@
63	"type": "gitlab"	63	"type": "gitlab"
64	}	64	}
65	},	65	},
		66	"crane": {
		67	"locked": {
		68	"lastModified": 1731098351,
		69	"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
		70	"owner": "ipetkov",
		71	"repo": "crane",
		72	"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
		73	"type": "github"
		74	},
		75	"original": {
		76	"owner": "ipetkov",
		77	"repo": "crane",
		78	"type": "github"
		79	}
		80	},
66	"deploy-rs": {	81	"deploy-rs": {
67	"inputs": {	82	"inputs": {
68	"flake-compat": [	83	"flake-compat": [
@@ -142,6 +157,22 @@
142	"flake-compat_4": {	157	"flake-compat_4": {
143	"flake": false,	158	"flake": false,
144	"locked": {	159	"locked": {
		160	"lastModified": 1696426674,
		161	"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
		162	"owner": "edolstra",
		163	"repo": "flake-compat",
		164	"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
		165	"type": "github"
		166	},
		167	"original": {
		168	"owner": "edolstra",
		169	"repo": "flake-compat",
		170	"type": "github"
		171	}
		172	},
		173	"flake-compat_5": {
		174	"flake": false,
		175	"locked": {
145	"lastModified": 1673956053,	176	"lastModified": 1673956053,
146	"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",	177	"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
147	"owner": "edolstra",	178	"owner": "edolstra",
@@ -193,6 +224,27 @@
193	},	224	},
194	"flake-parts_3": {	225	"flake-parts_3": {
195	"inputs": {	226	"inputs": {
		227	"nixpkgs-lib": [
		228	"lanzaboote",
		229	"nixpkgs"
		230	]
		231	},
		232	"locked": {
		233	"lastModified": 1730504689,
		234	"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
		235	"owner": "hercules-ci",
		236	"repo": "flake-parts",
		237	"rev": "506278e768c2a08bec68eb62932193e341f55c90",
		238	"type": "github"
		239	},
		240	"original": {
		241	"owner": "hercules-ci",
		242	"repo": "flake-parts",
		243	"type": "github"
		244	}
		245	},
		246	"flake-parts_4": {
		247	"inputs": {
196	"nixpkgs-lib": "nixpkgs-lib_3"	248	"nixpkgs-lib": "nixpkgs-lib_3"
197	},	249	},
198	"locked": {	250	"locked": {
@@ -306,6 +358,28 @@
306	"gitignore_3": {	358	"gitignore_3": {
307	"inputs": {	359	"inputs": {
308	"nixpkgs": [	360	"nixpkgs": [
		361	"lanzaboote",
		362	"pre-commit-hooks-nix",
		363	"nixpkgs"
		364	]
		365	},
		366	"locked": {
		367	"lastModified": 1709087332,
		368	"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
		369	"owner": "hercules-ci",
		370	"repo": "gitignore.nix",
		371	"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
		372	"type": "github"
		373	},
		374	"original": {
		375	"owner": "hercules-ci",
		376	"repo": "gitignore.nix",
		377	"type": "github"
		378	}
		379	},
		380	"gitignore_4": {
		381	"inputs": {
		382	"nixpkgs": [
309	"prometheus-borg-exporter",	383	"prometheus-borg-exporter",
310	"pre-commit-hooks-nix",	384	"pre-commit-hooks-nix",
311	"nixpkgs"	385	"nixpkgs"
@@ -383,6 +457,32 @@
383	"type": "github"	457	"type": "github"
384	}	458	}
385	},	459	},
		460	"lanzaboote": {
		461	"inputs": {
		462	"crane": "crane",
		463	"flake-compat": "flake-compat_4",
		464	"flake-parts": "flake-parts_3",
		465	"nixpkgs": [
		466	"nixpkgs"
		467	],
		468	"pre-commit-hooks-nix": "pre-commit-hooks-nix_3",
		469	"rust-overlay": "rust-overlay"
		470	},
		471	"locked": {
		472	"lastModified": 1737639419,
		473	"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
		474	"owner": "nix-community",
		475	"repo": "lanzaboote",
		476	"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
		477	"type": "github"
		478	},
		479	"original": {
		480	"owner": "nix-community",
		481	"ref": "v0.4.2",
		482	"repo": "lanzaboote",
		483	"type": "github"
		484	}
		485	},
386	"leapseconds": {	486	"leapseconds": {
387	"flake": false,	487	"flake": false,
388	"locked": {	488	"locked": {
@@ -402,7 +502,7 @@
402	"nixpkgs": [	502	"nixpkgs": [
403	"nixpkgs"	503	"nixpkgs"
404	],	504	],
405	"nixpkgs-stable": "nixpkgs-stable_2",	505	"nixpkgs-stable": "nixpkgs-stable_3",
406	"xwayland-satellite-stable": "xwayland-satellite-stable",	506	"xwayland-satellite-stable": "xwayland-satellite-stable",
407	"xwayland-satellite-unstable": "xwayland-satellite-unstable"	507	"xwayland-satellite-unstable": "xwayland-satellite-unstable"
408	},	508	},
@@ -664,6 +764,22 @@
664	},	764	},
665	"nixpkgs-stable_2": {	765	"nixpkgs-stable_2": {
666	"locked": {	766	"locked": {
		767	"lastModified": 1730741070,
		768	"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
		769	"owner": "NixOS",
		770	"repo": "nixpkgs",
		771	"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
		772	"type": "github"
		773	},
		774	"original": {
		775	"owner": "NixOS",
		776	"ref": "nixos-24.05",
		777	"repo": "nixpkgs",
		778	"type": "github"
		779	}
		780	},
		781	"nixpkgs-stable_3": {
		782	"locked": {
667	"lastModified": 1752308619,	783	"lastModified": 1752308619,
668	"narHash": "sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ=",	784	"narHash": "sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ=",
669	"owner": "NixOS",	785	"owner": "NixOS",
@@ -678,7 +794,7 @@
678	"type": "github"	794	"type": "github"
679	}	795	}
680	},	796	},
681	"nixpkgs-stable_3": {	797	"nixpkgs-stable_4": {
682	"locked": {	798	"locked": {
683	"lastModified": 1748026580,	799	"lastModified": 1748026580,
684	"narHash": "sha256-rWtXrcIzU5wm/C8F9LWvUfBGu5U5E7cFzPYT1pHIJaQ=",	800	"narHash": "sha256-rWtXrcIzU5wm/C8F9LWvUfBGu5U5E7cFzPYT1pHIJaQ=",
@@ -694,7 +810,7 @@
694	"type": "github"	810	"type": "github"
695	}	811	}
696	},	812	},
697	"nixpkgs-stable_4": {	813	"nixpkgs-stable_5": {
698	"locked": {	814	"locked": {
699	"lastModified": 1678872516,	815	"lastModified": 1678872516,
700	"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",	816	"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
@@ -842,11 +958,38 @@
842	},	958	},
843	"pre-commit-hooks-nix_3": {	959	"pre-commit-hooks-nix_3": {
844	"inputs": {	960	"inputs": {
845	"flake-compat": "flake-compat_4",	961	"flake-compat": [
846	"flake-utils": "flake-utils_2",	962	"lanzaboote",
		963	"flake-compat"
		964	],
847	"gitignore": "gitignore_3",	965	"gitignore": "gitignore_3",
		966	"nixpkgs": [
		967	"lanzaboote",
		968	"nixpkgs"
		969	],
		970	"nixpkgs-stable": "nixpkgs-stable_2"
		971	},
		972	"locked": {
		973	"lastModified": 1731363552,
		974	"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
		975	"owner": "cachix",
		976	"repo": "pre-commit-hooks.nix",
		977	"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
		978	"type": "github"
		979	},
		980	"original": {
		981	"owner": "cachix",
		982	"repo": "pre-commit-hooks.nix",
		983	"type": "github"
		984	}
		985	},
		986	"pre-commit-hooks-nix_4": {
		987	"inputs": {
		988	"flake-compat": "flake-compat_5",
		989	"flake-utils": "flake-utils_2",
		990	"gitignore": "gitignore_4",
848	"nixpkgs": "nixpkgs_3",	991	"nixpkgs": "nixpkgs_3",
849	"nixpkgs-stable": "nixpkgs-stable_4"	992	"nixpkgs-stable": "nixpkgs-stable_5"
850	},	993	},
851	"locked": {	994	"locked": {
852	"lastModified": 1685361114,	995	"lastModified": 1685361114,
@@ -864,14 +1007,14 @@
864	},	1007	},
865	"prometheus-borg-exporter": {	1008	"prometheus-borg-exporter": {
866	"inputs": {	1009	"inputs": {
867	"flake-parts": "flake-parts_3",	1010	"flake-parts": "flake-parts_4",
868	"nixpkgs": [	1011	"nixpkgs": [
869	"nixpkgs"	1012	"nixpkgs"
870	],	1013	],
871	"poetry2nix": [	1014	"poetry2nix": [
872	"poetry2nix"	1015	"poetry2nix"
873	],	1016	],
874	"pre-commit-hooks-nix": "pre-commit-hooks-nix_3"	1017	"pre-commit-hooks-nix": "pre-commit-hooks-nix_4"
875	},	1018	},
876	"locked": {	1019	"locked": {
877	"lastModified": 1722088088,	1020	"lastModified": 1722088088,
@@ -974,6 +1117,7 @@
974	"home-manager": "home-manager",	1117	"home-manager": "home-manager",
975	"home-manager-eostre": "home-manager-eostre",	1118	"home-manager-eostre": "home-manager-eostre",
976	"impermanence": "impermanence",	1119	"impermanence": "impermanence",
		1120	"lanzaboote": "lanzaboote",
977	"niri-flake": "niri-flake",	1121	"niri-flake": "niri-flake",
978	"nix-index-database": "nix-index-database",	1122	"nix-index-database": "nix-index-database",
979	"nix-monitored": "nix-monitored",	1123	"nix-monitored": "nix-monitored",
@@ -982,7 +1126,7 @@
982	"nixpkgs": "nixpkgs_2",	1126	"nixpkgs": "nixpkgs_2",
983	"nixpkgs-eostre": "nixpkgs-eostre",	1127	"nixpkgs-eostre": "nixpkgs-eostre",
984	"nixpkgs-pgbackrest": "nixpkgs-pgbackrest",	1128	"nixpkgs-pgbackrest": "nixpkgs-pgbackrest",
985	"nixpkgs-stable": "nixpkgs-stable_3",	1129	"nixpkgs-stable": "nixpkgs-stable_4",
986	"nvfetcher": "nvfetcher",	1130	"nvfetcher": "nvfetcher",
987	"poetry2nix": "poetry2nix",	1131	"poetry2nix": "poetry2nix",
988	"prometheus-borg-exporter": "prometheus-borg-exporter",	1132	"prometheus-borg-exporter": "prometheus-borg-exporter",
@@ -993,6 +1137,27 @@
993	"waybar": "waybar"	1137	"waybar": "waybar"
994	}	1138	}
995	},	1139	},
		1140	"rust-overlay": {
		1141	"inputs": {
		1142	"nixpkgs": [
		1143	"lanzaboote",
		1144	"nixpkgs"
		1145	]
		1146	},
		1147	"locked": {
		1148	"lastModified": 1731897198,
		1149	"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
		1150	"owner": "oxalica",
		1151	"repo": "rust-overlay",
		1152	"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
		1153	"type": "github"
		1154	},
		1155	"original": {
		1156	"owner": "oxalica",
		1157	"repo": "rust-overlay",
		1158	"type": "github"
		1159	}
		1160	},
996	"sops-nix": {	1161	"sops-nix": {
997	"inputs": {	1162	"inputs": {
998	"nixpkgs": [	1163	"nixpkgs": [


diff --git a/flake.nix b/flake.nix index 8380f9c7..b9382c6f 100644 --- a/flake.nix +++ b/flake.nix
@@ -221,6 +221,14 @@
221	nixpkgs.follows = "nixpkgs";	221	nixpkgs.follows = "nixpkgs";
222	};	222	};
223	};	223	};
		224	lanzaboote = {
		225	type = "github";
		226	owner = "nix-community";
		227	repo = "lanzaboote";
		228	ref = "v0.4.2";
		229
		230	inputs.nixpkgs.follows = "nixpkgs";
		231	};
224	};	232	};
225		233
226	outputs = { self, nixpkgs, home-manager, sops-nix, deploy-rs, nvfetcher, niri-flake, ... }@inputs:	234	outputs = { self, nixpkgs, home-manager, sops-nix, deploy-rs, nvfetcher, niri-flake, ... }@inputs:


diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 4cb6162e..4cdd4aa7 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -13,7 +13,7 @@ in {
13	imports = with flake.nixosModules.systemProfiles; [	13	imports = with flake.nixosModules.systemProfiles; [
14	./hw.nix	14	./hw.nix
15	./email ./libvirt ./greetd	15	./email ./libvirt ./greetd
16	tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager	16	tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
17	flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1	17	flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18	flakeInputs.impermanence.nixosModules.impermanence	18	flakeInputs.impermanence.nixosModules.impermanence
19	flakeInputs.nixVirt.nixosModules.default	19	flakeInputs.nixVirt.nixosModules.default
@@ -51,13 +51,8 @@ in {
51		51
52	blacklistedKernelModules = [ "nouveau" ];	52	blacklistedKernelModules = [ "nouveau" ];
53		53
54	# Use the systemd-boot EFI boot loader.	54	lanzaboote.configurationLimit = 15;
55	loader = {	55	loader = {
56	systemd-boot = {
57	enable = true;
58	configurationLimit = 15;
59	netbootxyz.enable = true;
60	};
61	efi.canTouchEfiVariables = true;	56	efi.canTouchEfiVariables = true;
62	timeout = null;	57	timeout = null;
63	};	58	};
@@ -679,6 +674,7 @@ in {
679	"/var/lib/upower"	674	"/var/lib/upower"
680	"/var/lib/postfix"	675	"/var/lib/postfix"
681	"/etc/NetworkManager/system-connections"	676	"/etc/NetworkManager/system-connections"
		677	config.boot.lanzaboote.pkiBundle
682	];	678	];
683	files = [	679	files = [
684	];	680	];


diff --git a/system-profiles/lanzaboote.nix b/system-profiles/lanzaboote.nix new file mode 100644 index 00000000..f1e179cf --- /dev/null +++ b/system-profiles/lanzaboote.nix
@@ -0,0 +1,14 @@
		1	{ flakeInputs, pkgs, ... }:
		2	{
		3	imports = [
		4	flakeInputs.lanzaboote.nixosModules.lanzaboote
		5	];
		6
		7	config = {
		8	environment.systemPackages = [ pkgs.sbctl ];
		9	boot.lanzaboote = {
		10	enable = true;
		11	pkiBundle = "/var/lib/sbctl";
		12	};
		13	};
		14	}